OceanLotus Targets PyPI: ZiChatBot Malware Delivered via Deceptive Python Packages

This Q&A provides insights into a sophisticated supply chain attack discovered in July 2025, where threat actors linked to the OceanLotus group uploaded malicious wheel packages to PyPI. These packages, disguised as legitimate libraries, delivered a new malware family named ZiChatBot, which uses the Zulip team chat platform for command and control. Below, we address key questions about the campaign, its mechanics, and implications.

What Is the OceanLotus Attack on PyPI?

In July 2025, security researchers identified a series of malicious wheel packages uploaded to the Python Package Index (PyPI). After the researchers shared this information with the security community, the packages were removed. Analysis by the Kaspersky Threat Attribution Engine (KTAE) linked these packages to OceanLotus, a known advanced persistent threat group. The packages, such as uuid32-utils, colorinal, and termncolor, mimicked popular libraries but covertly delivered a new malware strain called ZiChatBot. The malware targets both Windows and Linux systems, delivered as a DLL file on Windows or an SO file on Linux. The attackers also created a benign-looking package that pulled in the malicious one as a dependency, making this a carefully planned supply chain attack.

OceanLotus Targets PyPI: ZiChatBot Malware Delivered via Deceptive Python Packages
Source: securelist.com

How Did the Attackers Spread the Malicious Packages?

The attackers created three projects on PyPI and uploaded wheel packages designed to imitate popular libraries. For instance, uuid32-utils claimed to generate a 32-character random UUID, colorinal promised cross-platform color terminal text, and termncolor offered ANSI color format output. Each package had a corresponding pip install command, with first upload dates starting July 16, 2025. The authors used email addresses from tutamail.com and proton.me to register accounts. Distribution options included X86 and X64 versions for Windows and x86_64 for Linux, as seen on the colorinal project page. Users inadvertently downloaded these packages thinking they were legitimate utilities, leading to infection.

What Is ZiChatBot and How Does It Operate?

ZiChatBot is a previously unknown malware family discovered during this campaign. Unlike traditional malware that communicates with a dedicated command and control (C2) server, ZiChatBot uses the REST APIs of the public team chat application Zulip as its C2 infrastructure. This makes detection more challenging because the traffic blends with legitimate Zulip usage. The malware is delivered via dropper packages that extract and execute either a .DLL (on Windows) or .SO (on Linux) payload. Once active, ZiChatBot carries out its tasks while its command traffic takes the form of ordinary Zulip API requests, which lets it evade network monitoring tools that only look for known C2 infrastructure.

Why Is This Considered a Supply Chain Attack?

This attack qualifies as a supply chain attack because the threat actors compromised the software supply chain of Python developers. By uploading fake but functional libraries to PyPI, they tricked developers into downloading and installing malicious code as part of their projects. The packages did implement the advertised features (e.g., string generation or color terminal output), but their true purpose was to drop ZiChatBot as a hidden payload. Additionally, the attackers created a benign-looking package that listed the malicious package as a dependency, further spreading the malware. This method targets the trust users place in public repositories, a classic supply chain vector.


What Technical Details Did the Analysis Reveal?

Analysis focused on the colorinal library as a representative example, since uuid32-utils and colorinal share similar infection chains. The malicious wheel package includes files disguised as legitimate Python code but contains a dropper that extracts a shared library (.DLL or .SO). Key metadata from PyPI includes: upload dates ranging from July 16 to July 22, 2025; author emails like laz****@tutamail.com and sym****@proton.me; and distribution options for Windows (X86, X64) and Linux (x86_64). The packages were designed to appear trustworthy while silently activating the ZiChatBot payload upon installation. The use of Zulip APIs for C2 marks an evolution in evasion techniques.

How Can Developers Protect Themselves from Such Attacks?

Developers should adopt several best practices to mitigate risks from PyPI supply chain attacks. First, verify package authenticity by checking download counts, author reputation, and recent update history. Use tools like pip-audit or Safety to scan for known vulnerable or malicious packages. Consider pinning package versions to avoid unexpected updates that may introduce malware. Additionally, monitor network traffic for unusual API calls to services like Zulip that are not part of your infrastructure. Finally, report any suspicious packages to the PyPI maintainers and to security researchers. Vigilance and automated scanning are key to preventing infections from deceptive packages like those used in this OceanLotus campaign.
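One concrete pre-install check that follows from the technical details above: inspect a wheel before installing it and flag native shared libraries (.dll/.so) inside a package whose name or metadata says it should be pure Python. This is an added example written for this article, not tooling from the researchers or from PyPI; the package names come from the article, and the sample wheel is constructed in memory to mimic the described pattern.

```python
"""Wheel triage before installation (added example, not from the Securelist report)."""
import io
import re
import zipfile

# Package names reported in this campaign (from the article).
REPORTED_PACKAGES = {"uuid32-utils", "colorinal", "termncolor"}
NATIVE_SUFFIXES = (".dll", ".so", ".pyd", ".dylib")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Uuid32_Utils' matches 'uuid32-utils'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def triage_wheel(wheel_bytes: bytes, project_name: str) -> dict:
    """Return findings for one wheel: reported name, embedded native files,
    and a pure-Python WHEEL tag that contradicts the presence of binaries."""
    findings = {"reported_name": normalize(project_name) in REPORTED_PACKAGES,
                "native_files": [], "purelib_with_binaries": False}
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        names = zf.namelist()
        findings["native_files"] = [n for n in names if n.lower().endswith(NATIVE_SUFFIXES)]
        wheel_meta = next((n for n in names if n.endswith(".dist-info/WHEEL")), None)
        if wheel_meta is not None:
            meta = zf.read(wheel_meta).decode("utf-8", "replace")
            # A wheel that declares itself pure Python has no business carrying .so/.dll files.
            if "Root-Is-Purelib: true" in meta and findings["native_files"]:
                findings["purelib_with_binaries"] = True
    # Native files alone only warrant review (compiled packages are normal);
    # a reported name or a purelib/binary mismatch is a blocking signal.
    findings["block"] = findings["reported_name"] or findings["purelib_with_binaries"]
    findings["review"] = bool(findings["native_files"]) and not findings["block"]
    return findings


def build_sample_wheel(with_native: bool) -> bytes:
    """Constructed sample wheel: a 'pure' terminal-colour package that, when
    with_native is True, smuggles a shared library alongside its Python code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("colorinal/__init__.py", "def colored(s, c):\n    return s\n")
        if with_native:
            zf.writestr("colorinal/_native.so", b"\x7fELF constructed placeholder, not a real binary")
        zf.writestr("colorinal-1.0.dist-info/WHEEL", "Wheel-Version: 1.0\nRoot-Is-Purelib: true\n")
    return buf.getvalue()
```

Run `triage_wheel` over each downloaded wheel in a CI step (for example after `pip download`) and fail the build on `block`, routing `review` hits to a human.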

What Are the Broader Implications for the Python Community?

This campaign highlights the growing threat of targeted supply chain attacks on package repositories. OceanLotus's use of PyPI to deliver ZiChatBot demonstrates how even well-vetted platforms can be exploited by determined adversaries. The malware's reliance on Zulip’s public APIs for C2 also signals a shift toward using legitimate services for malicious purposes, making detection harder. For the Python community, this underscores the need for enhanced security measures such as two-factor authentication for package maintainers, more rigorous package review processes, and adoption of software bill of materials (SBOM) practices. Proactive threat hunting and collaboration between researchers and platform operators remain essential to defending against such sophisticated attacks.
